Commit ae1d9fb4 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #1512 from tsigo/escape_gfm

Better escaping of text passed into GFM
parents 01974185 345c4d2a
...@@ -12,8 +12,8 @@ module GitlabMarkdownHelper ...@@ -12,8 +12,8 @@ module GitlabMarkdownHelper
# "<a>outer text </a><a>gfm ref</a><a> more outer text</a>"). # "<a>outer text </a><a>gfm ref</a><a> more outer text</a>").
def link_to_gfm(body, url, html_options = {}) def link_to_gfm(body, url, html_options = {})
return "" if body.blank? return "" if body.blank?
gfm_body = gfm(body, html_options) gfm_body = gfm(escape_once(body), html_options)
gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match| gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match|
"</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1 "</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1
......
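Review bot: The anchor-splitting regex on the line after the changed call, `%r{<a.*?>.*?</a>}m`, is only safe because escape_once has neutralised any user-supplied `<a>` in body before gfm runs, and that dependency is not written down anywhere in link_to_gfm. I would add above the gfm call: `# Escape body first so the only <a> tags in gfm_body are the reference links gfm() itself emits; the gsub! below relies on that.` It is also worth a word that escape_once deliberately leaves already-encoded entities such as `&lt;` alone, so pre-encoded text is preserved rather than double-escaped. link_to_gfm's body continues past the hunk.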
...@@ -11,10 +11,10 @@ ...@@ -11,10 +11,10 @@
= link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do = link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do
%strong Browse Code » %strong Browse Code »
%h3.commit-title.page_title %h3.commit-title.page_title
= gfm @commit.title = gfm escape_once(@commit.title)
- if @commit.description.present? - if @commit.description.present?
%pre.commit-description %pre.commit-description
= gfm @commit.description = gfm escape_once(@commit.description)
.commit-info .commit-info
.row .row
.span4 .span4
......
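Review bot: The escaping is now repeated at every call site (`= gfm escape_once(...)` here and in the sections headed `@@ -5,4 +5,4 @@`, `@@ -31,7 +31,7 @@`, `@@ -5,7 +5,7 @@`, `@@ -21,7 +21,7 @@`, `@@ -11,7 +11,7 @@`, `@@ -13,7 +13,7 @@` and `@@ -17,7 +17,7 @@`), so the next `= gfm record.title` added to a view silently reintroduces the injection this commit fixes. A single helper the views call instead, `def gfm_escaped(text, html_options = {})` / `gfm(escape_once(text), html_options)` / `end`, keeps the escape in one place and makes a bare `gfm` in a view stand out in review. For the truncate call sites, escape_once rather than `h` is the right choice if truncate's output could ever arrive already escaped, since it will not double-encode existing entities; that assumption about truncate is not visible here and is worth a short comment at one of those sites.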
...@@ -5,4 +5,4 @@ ...@@ -5,4 +5,4 @@
%strong.cdark= commit.author_name %strong.cdark= commit.author_name
&ndash; &ndash;
= image_tag gravatar_icon(commit.author_email), class: "avatar", width: 16 = image_tag gravatar_icon(commit.author_email), class: "avatar", width: 16
= gfm truncate(commit.title, length: 50) rescue "--broken encoding" = gfm escape_once(truncate(commit.title, length: 50)) rescue "--broken encoding"
...@@ -31,7 +31,7 @@ ...@@ -31,7 +31,7 @@
.alert-message.error.status_info Closed .alert-message.error.status_info Closed
- else - else
.alert-message.success.status_info Open .alert-message.success.status_info Open
= gfm @issue.title = gfm escape_once(@issue.title)
.middle_box_content .middle_box_content
%cite.cgray Created by %cite.cgray Created by
......
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
.alert-message.error.status_info Closed .alert-message.error.status_info Closed
- else - else
.alert-message.success.status_info Open .alert-message.success.status_info Open
= gfm @merge_request.title = gfm escape_once(@merge_request.title)
.middle_box_content .middle_box_content
%div %div
......
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
.alert-message.error.status_info Closed .alert-message.error.status_info Closed
- else - else
.alert-message.success.status_info Open .alert-message.success.status_info Open
= gfm @milestone.title = gfm escape_once(@milestone.title)
%small.right= @milestone.expires_at %small.right= @milestone.expires_at
.middle_box_content .middle_box_content
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
%code= commit.short_id %code= commit.short_id
= image_tag gravatar_icon(commit.author_email), class: "", width: 16 = image_tag gravatar_icon(commit.author_email), class: "", width: 16
= gfm truncate(commit.title, length: 40) = gfm escape_once(truncate(commit.title, length: 40))
%span.update-author.right %span.update-author.right
= time_ago_in_words(commit.committed_date) = time_ago_in_words(commit.committed_date)
ago ago
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
= link_to project_commits_path(@project, commit.id) do = link_to project_commits_path(@project, commit.id) do
%code= commit.short_id %code= commit.short_id
= image_tag gravatar_icon(commit.author_email), class: "", width: 16 = image_tag gravatar_icon(commit.author_email), class: "", width: 16
= gfm truncate(commit.title, length: 40) = gfm escape_once(truncate(commit.title, length: 40))
%td %td
%span.right.cgray %span.right.cgray
= time_ago_in_words(commit.committed_date) = time_ago_in_words(commit.committed_date)
......
...@@ -17,7 +17,7 @@ ...@@ -17,7 +17,7 @@
= link_to project_commit_path(@project, commit.id) do = link_to project_commit_path(@project, commit.id) do
%code= commit.short_id %code= commit.short_id
= image_tag gravatar_icon(commit.author_email), class: "", width: 16 = image_tag gravatar_icon(commit.author_email), class: "", width: 16
= gfm truncate(commit.title, length: 40) = gfm escape_once(truncate(commit.title, length: 40))
%td %td
%span.update-author.right %span.update-author.right
= time_ago_in_words(commit.committed_date) = time_ago_in_words(commit.committed_date)
......
...@@ -48,8 +48,10 @@ module Gitlab ...@@ -48,8 +48,10 @@ module Gitlab
def gfm(text, html_options = {}) def gfm(text, html_options = {})
return text if text.nil? return text if text.nil?
# prevents the string supplied through the _text_ argument to be altered # Duplicate the string so we don't alter the original, then call to_str
text = text.dup # to cast it back to a String instead of a SafeBuffer. This is required
# for gsub calls to work as we need them to.
text = text.dup.to_str
@html_options = html_options @html_options = html_options
......
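Review bot: The new comment explains the SafeBuffer cast but not the contract it implies: once `to_str` drops the html_safe flag nothing inside gfm escapes the text, so every caller is responsible for escaping untrusted input first, as link_to_gfm and the views in this commit now do. I would extend the comment with `# NOTE: gfm does not escape its input; callers must escape_once untrusted text before passing it in.` If I read core `String#to_str` right it already returns a fresh String for a subclass instance such as SafeBuffer, so the `dup` is what protects a plain String argument from the in-place gsub calls; saying so in the comment stops someone "simplifying" this to `text.to_str` later. gfm's body continues past the hunk.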
...@@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do ...@@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do
actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo') actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo')
actual.should have_selector 'a.gfm.gfm-commit.foo' actual.should have_selector 'a.gfm.gfm-commit.foo'
end end
it "escapes HTML passed in as the body" do
actual = "This is a <h1>test</h1> - see ##{issues[0].id}"
link_to_gfm(actual, commit_path).should match('&lt;h1&gt;test&lt;/h1&gt;')
end
end end
describe "#markdown" do describe "#markdown" do
it "should handle references in paragraphs" do it "should handle references in paragraphs" do
markdown("\n\nLorem ipsum dolor sit amet, consectetur adipiscing elit. #{commit.id} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.\n").should == "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. #{link_to commit.id, project_commit_path(project, commit), title: commit.link_title, class: "gfm gfm-commit "} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.</p>\n" actual = "\n\nLorem ipsum dolor sit amet. #{commit.id} Nam pulvinar sapien eget.\n"
expected = project_commit_path(project, commit)
markdown(actual).should match(expected)
end end
it "should handle references in headers" do it "should handle references in headers" do
......
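Review bot: The new escaping example asserts that the `<h1>` is encoded but not that the `##{issues[0].id}` reference still became a link after escaping, which is exactly the regression escape_once could introduce; adding `link_to_gfm(actual, commit_path).should have_selector 'a.gfm'` next to the match would cover both halves of the change. In the rewritten paragraph example, `should match(expected)` converts the path string into a Regexp, so any regex metacharacter in the path is interpreted rather than matched literally; `markdown(actual).should include(expected)` states the substring intent precisely. The enclosing describe block starts and ends outside the hunk.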